Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257.
News of the exploitation activity comes from threat monitoring platform The Shadowserver Foundation, which observed 85 infections on July 14 and 77 on the next day.
The researchers reported that these Fortinet FortiWeb instances are believed to be compromised through the CVE-2025-25257 flaw.
CVE-2025-25257 is a critical pre-authenticated RCE via SQL injection (SQLi) affecting FortiWeb 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.4.0 through 7.4.7, and 7.0.0 through 7.0.10.
Fortinet released patches on July 8, 2025, urging users to upgrade to FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11 and later versions of each branch.
"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests," explained Fortinet.
On July 11, exploits were made public by cybersecurity firm WatchTowr, and a co-discoverer of the flaw, "faulty *ptrrr." These exploits demonstrated methods for planting webshells or opening reverse shells on unpatched endpoints.
The exploitation involves performing SQLi via crafted Authorization headers in HTTP requests sent to /api/fabric/device/status, which writes a malicious .pth file into Python's 'site-packages.'
A legitimate FortiWeb CGI script (/cgi-bin/ml-draw.py) is then accessed remotely, causing the code in the malicious .pth file to be executed and achieving remote code execution on the device.
At the time, there was no evidence of active exploitation in the wild, but the release of public exploits made patching critical for administrators.
... continue reading